The Apache CloudStack Blog

This week, we had discussions about the release cycle and whether a six-month cycle may be more appropriate. Work continued on the 4.1.0 release, and Apache CloudStack 4.0.2 was released.

Major Discussions

Several major discussions this week, summarized below. Note that this is only a fraction of the activity in the project. For a full overview of project activity, you may want to subscribe to dev@cloudstack.apache.org.

I still see there is a difference of opinion and not a clear consensus, with 12 out
of 21 (approx. 60%) preferring 6 months. But going by the argument of not
having given a proper shot to the 4-month cycle, I will say we can keep 4.2 as a 4-month
cycle and pull in all effort to make it successful. If it turns out that
we can work with a 4-month schedule, that's well and good; otherwise we can bring
this topic up again based on the results of running a 4-month cycle.

4.1.0 Approaches

After clearing out a number of last-minute blockers, it looks like 4.1.0 may be just about ready to roll. Chip Childers posted on Friday that he was waiting on confirmation on CLOUDSTACK-528 and CLOUDSTACK-2194 being fixed. If those are fixed, Chip says he will "proceed with starting the VOTE thread" Monday morning, Eastern time.

Security Vulnerabilities in CloudStack 4.0.x

Description:
The CloudStack PMC was notified of two issues found in Apache CloudStack:

1) An attacker with knowledge of CloudStack source code could gain
unauthorized access to the console of another tenant's VM.

2) Insecure hash values may lead to information disclosure. URLs
generated by Apache CloudStack to provide console access to virtual
machines contained a hash of a predictable sequence, the hash of
which was generated with a weak algorithm. While not easy to leverage,
this may allow a malicious user to gain unauthorized console access.

Mitigation:
Updating to Apache CloudStack versions 4.0.2 or higher will mitigate
these vulnerabilities.

Credit:
These issues were identified by Wolfram Schlich and Mathijs Schmittmann
to the Citrix security team, who in turn notified the Apache
CloudStack PMC.
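To make the second issue concrete, here is an added illustration (not CloudStack's code, and not how its console URLs are actually built) of the weak pattern the advisory describes next to a hardened one: an unkeyed digest over a predictable sequence versus a keyed HMAC over a random nonce with an expiry and constant-time verification. The VM id, account name and secret key are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Weak pattern (constructed): an unkeyed MD5 over a guessable input such as a
# VM id and an incrementing counter. Anyone who can reproduce the inputs can
# reproduce the digest, so it carries no secret and cannot authorise anything.
def weak_token(vm_id: str, sequence: int) -> str:
    return hashlib.md5(f"{vm_id}:{sequence}".encode()).hexdigest()

# Hardened pattern: a random nonce bound to the VM and the requesting account,
# with an expiry, authenticated by HMAC-SHA256 under a server-side key.
# The key is assumed to come from deployment config; here it is generated.
SECRET_KEY = secrets.token_bytes(32)

def make_console_token(vm_id: str, account: str, ttl: int, now: int = None) -> str:
    # vm_id and account are assumed not to contain the '|' delimiter.
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)        # 128 bits of randomness, unguessable
    expires = now + ttl
    payload = f"{vm_id}|{account}|{nonce}|{expires}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_console_token(token: str, vm_id: str, account: str, now: int = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        t_vm, t_acct, nonce, expires, mac = token.split("|")
    except ValueError:
        return False                     # malformed token
    payload = f"{t_vm}|{t_acct}|{nonce}|{expires}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                     # forged or tampered (constant-time check)
    if t_vm != vm_id or t_acct != account:
        return False                     # issued for another VM or another tenant
    return int(expires) > now            # reject once the TTL has passed

if __name__ == "__main__":
    tok = make_console_token("i-2-VM", "tenant-a", ttl=300, now=1000)
    print("valid now:", verify_console_token(tok, "i-2-VM", "tenant-a", now=1100))
    print("valid later:", verify_console_token(tok, "i-2-VM", "tenant-a", now=1400))
    print("other tenant:", verify_console_token(tok, "i-2-VM", "tenant-b", now=1100))
```

A production issuer would additionally record each nonce server-side so a token is honoured only once.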

Exposing APIs that carry POST data

Prasanna Santhanam raised a discussion about adding the ability to send user data as POST to commands.

I'm guessing we'll have to put in additional annotations on our APIs
that support POST so that API discovery can print the methods
supported (GET/POST). Right now it's only the deployVMCmd (AFAIK). But
I expect this will need to be done for others soon.

I've included POST support for every command in Marvin, but that's
just brute force. To make it more intelligent, I think we should apply
it only to APIs that make sense as POST (causing side effects). But
that needs to be exposed by the API endpoint.

Enabling GitHub Pull Request Notification

A discussion was brought up on dev@ this weekend about enabling notifications for pull requests made via GitHub. David Nalley remarked that in his opinion, "there really isn't an option - if we are going to have a GitHub mirror, we also need to be able to deal with the pull requests there. Ignoring folks that submit pull requests is inappropriate."

CloudStack Planet - Posts from the CloudStack Community

More Fun with the CloudStack API - Kirk Jantzer writes about playing with the CloudStack API and writing a tool "in an effort to make deployment of a mass amount of servers with as little effort as possible."

Thanks to the Apache CloudStack community! - Shane Curcuru writes about the Apache CloudStack graduation and its incubation. "The desire to get things 'right' at Apache was clear in everything the CloudStack community did, and the end result looks to be an incredibly strong project that’s quickly gathering developers from a wide variety of vendors and users. Part of this growth is about the great technology; but a lot is due to the helpful and welcoming face that the CloudStack committers put on their project."

New Committers and PMC Members

No new committers or PMC members announced this week.

Contributing to the Weekly News

Want to keep reading the CloudStack Weekly News? Many hands make light work, but having only one editor means getting the weekly news out every week is a "best effort" activity. A healthy community publication needs several contributors to ensure weekly issues go out on time.

If you have an event, discussion, or other item to contribute to the Weekly News, you can add it directly to the wiki by editing the issue you want your item to appear in. (The next week's issue is created before the current issue is published - so at any time there should be at least one issue ready to edit.)

Alternatively, you can send a note to the marketing@cloudstack.apache.org mailing list with a subject including News: description of topic or email the newsletter editor directly (jzb at apache.org), again with the subject News: description of topic. Please include a link to the discussion in the mailing list archive or Web page with details of the event, etc.